- A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
RE : vpn -- SA lifetime posted 11/12/2006
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Phase 2 sa lifetimes need to be equal I believe at oth sides.
However Phase 1 sa lifetime of the initiator needs to be smaller than the one of the server. 

-- Richard

-----Message d'origine-----
De : nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] De la part de Tim
Envoyi : Sunday, November 12, 2006 1:57 PM
@ : security@xxxxxxxxxxxxxx; ccielab@xxxxxxxxxxxxxx
Objet : vpn -- SA lifetime

Hi guys,


Lifetimes, for both the mgmt SA (ISAKMP) and the data SA's (IPSec), can be
configured independently.


That being the case, does it matter what the values are relative to one


IOW, should the lifetime for the mgmt SA be equal to, smaller than or larger
than the data lifetime?


Is there a "Best Practice" when it comes to selecting these values?


I know the lifetime parameter can be left at its default value but I'd like
to know if one value is changed, should the other value also be changed and
how to think about this issue.


Thanks very much for any feedback on this.



Subscription information may be found at:

Any opinions expressed in the email are those of the individual and not necessarily the company. This email and any files transmitted with it are confidential and solely for the use of the intended recipient.  If you are not the intended recipient or the person responsible for delivering it to the intended recipient, be advised that you have received this email in error and that any dissemination, distribution, copying or use is strictly prohibited.

If you have received this email in error, or if you are concerned with the content of this email please e-mail to:

The contents of an attachment to this e-mail may contain software viruses which could damage your own computer system. While the sender has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachments to this e-mail.